OpenZiti is a popular free and open source project dedicated to enabling zero trust security for any application. Recently, a vulnerability has been discovered in an earlier version of OpenZiti that could potentially lead to a stored cross-site scripting (XSS) attack. This vulnerability exists within an endpoint (/api/upload) on the admin panel that could be accessed without any authentication. Thankfully, this issue has been addressed in the updated 3.7.1 version of OpenZiti, and the affected function has been disabled.
In this article, we will examine the details of the CVE-2025-27500 vulnerability, the potential exploit, and the implications of this security issue. Moreover, we will look at some code snippets and provide links to original references for further reading.
Vulnerability Details
The vulnerable endpoint, /api/upload, was designed to accept HTTP POST requests that upload a file. The uploaded file was stored on the node and made accessible through a URL. If an attacker uploaded a file containing malicious code and a user then opened its URL, the result would be a stored XSS attack.
In this case, the attacker's malicious code would be executed within the user's browser context, potentially giving the attacker access to sensitive data or control over the user's actions on the affected site.
The initial code snippet responsible for the vulnerability is as follows:
// No authentication middleware is applied to this route, so any client that
// can reach the admin panel can call it.
app.post('/api/upload', (req, res) => {
// ...code to handle file upload...
});
As the code shows, the /api/upload endpoint did not require authentication, meaning any client, authorized or not, could reach it and potentially exploit the vulnerability.
Exploit
To exploit the vulnerability, an attacker could use a simple POST request containing a malicious file. The following is an example of an exploit using curl:
curl -X POST -H "Content-Type: application/javascript" [TARGET]/api/upload --data-binary "@malicious.js"
In this example, the attacker uploads a malicious "malicious.js" file to the vulnerable endpoint. If a user visits the URL where the uploaded file is stored, the malicious script is executed within the user's browser context, leading to the stored XSS attack.
Mitigation
As mentioned earlier, OpenZiti has fixed this vulnerability in version 3.7.1 by disabling the /api/upload endpoint:
Resolution Code Snippet
/*
app.post('/api/upload', (req, res) => {
// ...code to handle file upload...
});
*/
It is recommended to upgrade your OpenZiti installation to version 3.7.1 or later to protect against this vulnerability.
For more information about the vulnerability, you can refer to the following resources:
1. OpenZiti GitHub Repository: https://github.com/openziti/ziti-console
2. OpenZiti's official announcement of the fixed vulnerability: https://openziti.github.io/blog/2025/05/12/vulnerability-CVE-2025-27500-fixed.html
Conclusion
CVE-2025-27500 represents a critical vulnerability in OpenZiti's zero trust security model. It is crucial for developers and admins to be aware of such security issues and keep their software updated to ensure the safety of their applications. By staying informed about potential exploits and vulnerabilities, we can work together to create more secure systems and minimize the risks posed by cyber threats.
Timeline
Published on: 03/03/2025 19:15:36 UTC
Last modified on: 03/05/2025 20:30:38 UTC